In recent years, botnets have emerged as the attack vector of choice for cyber criminals across the world. A botnet is a collection of Internet-connected devices that run the same software and are controlled from a centralized server. Originally, these networks were used to automate routine business tasks across corporate infrastructures. But with time, hackers learned that they could engineer massive botnets out of other people's computers, which allowed them to distribute malware, send spam emails, and steal sensitive data on an unprecedented scale. In 2016, the much-publicized Mirai botnet took over vulnerable IoT devices, including IP cameras, routers, and home appliances, then used them to launch a powerful DDoS attack that crippled several major online services such as Netflix, Reddit and Twitter.
While Mirai was highly effective, it was also easy to detect and prevent. Unfortunately, its successors have been far more difficult to handle. Newer botnets exploit system vulnerabilities, and many are updated in real time for more targeted attack options. Among this new breed of botnets, MyloBot stands out for its sophistication and complexity.
What is MyloBot?
Tom Nipravsky, a security researcher at Deep Instinct, first captured MyloBot during live testing at a Tier 1 data and communication equipment manufacturer. Although security experts are still unwilling to identify an author for this botnet, many point to the fact that MyloBot scans keyboard layouts for a lack of Asian characters before attacking users' systems as a clear sign of its geographical origins.
MyloBot possesses a versatile array of abilities that help it infect devices while evading detection. These include:
- Anti-VM and anti-sandbox techniques—Security products will often use isolated environments to execute and test unknown code before they allow it to enter organizational networks. MyloBot recognizes virtual machines and alters its behavior to prevent exposure through these detection techniques. Once installed, MyloBot remains dormant on infected devices for 14 days before accessing command-and-control servers for further instructions.
- Anti-debugging techniques—Debugging is another technique used to analyze the behavior, functionality and mechanisms through which malware works. MyloBot works to hinder these attempts at reverse engineering, making it far more difficult to develop effective safeguards against the botnet.
- Blocks critical system services—After installation, MyloBot shuts down security tools such as Windows Defender, Windows Update and specific ports on the Windows Firewall. It will also delete any applications listed in the %APPDATA% folder; this may cause an irretrievable loss of system data.
- Process hollowing—MyloBot will launch a legitimate process and hold it in a suspended state. It will then replace the process memory with malicious code so that a second program runs in place of the original process. This helps the malware blend in among other normal system processes.
- Code injection and reflective EXE—This technique involves modifying legitimate Windows processes to include malicious code, so the process does something other than what it was intended to do. This capability allows MyloBot to run executables directly from system memory without saving additional files to disk. This is an extremely uncommon attack method, only recently discovered.
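The third item above, the disabling of Defender, Windows Update and firewall settings, is the one a defender can check cheaply from the host itself. The following PowerShell script is an added example written for this article; it is not code from the original post or from Deep Instinct. It uses the standard Windows service names (WinDefend, wuauserv, MpsSvc) and the built-in Defender and NetSecurity cmdlets; the idea of flagging enabled inbound allow rules that belong to no rule group is this script's own heuristic, not something the article states about MyloBot. It does not detect process hollowing or reflective loading, which require memory-level inspection by an EDR or a memory forensics tool.

```powershell
# Host-side baseline check for the protections the article says MyloBot disables.
# Added example, not from the original post. Run in an elevated PowerShell session.

function Test-ProtectionBaseline {
    $findings = @()

    # 1. Core protection services. Names are the standard Windows service names;
    #    the expectation that all three are running is this script's assumption.
    $expectedServices = @{
        'WinDefend' = 'Windows Defender Antivirus Service'
        'wuauserv'  = 'Windows Update'
        'MpsSvc'    = 'Windows Defender Firewall'
    }
    foreach ($name in $expectedServices.Keys) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $svc) {
            $findings += "Service $name ($($expectedServices[$name])) not found"
        } elseif ($svc.Status -ne 'Running') {
            $findings += "Service $name ($($expectedServices[$name])) is $($svc.Status)"
        }
    }

    # 2. Defender real-time protection state, via the Defender module.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if ($null -eq $mp) {
        $findings += 'Get-MpComputerStatus unavailable (Defender module missing or disabled)'
    } else {
        if (-not $mp.AntivirusEnabled)          { $findings += 'Defender antivirus engine is disabled' }
        if (-not $mp.RealTimeProtectionEnabled) { $findings += 'Defender real-time protection is disabled' }
    }

    # 3. Firewall profiles: Domain, Private and Public should all be enabled.
    foreach ($profile in (Get-NetFirewallProfile -ErrorAction SilentlyContinue)) {
        if (-not $profile.Enabled) {
            $findings += "Firewall profile $($profile.Name) is disabled"
        }
    }

    # 4. Heuristic (script's own assumption): built-in rules carry a DisplayGroup,
    #    so an enabled inbound Allow rule with no group is worth a human look.
    $rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue
    foreach ($rule in $rules) {
        if ([string]::IsNullOrEmpty($rule.DisplayGroup)) {
            $findings += "Ungrouped inbound allow rule: $($rule.DisplayName)"
        }
    }

    # Return the array even when empty so callers can rely on .Count
    return ,$findings
}

# Usage: print findings, or confirm the baseline is intact.
$result = Test-ProtectionBaseline
if ($result.Count -eq 0) {
    Write-Output 'Protection baseline intact'
} else {
    $result | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run it from a scheduled task or a management agent and alert on any non-empty result; on a freshly built machine the expected output is a single "Protection baseline intact" line, so a sudden set of findings (especially a stopped WinDefend or wuauserv together with a disabled firewall profile) is a strong reason to isolate the host and pull it for forensic review.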
How MyloBot Works
After infiltrating a victim's computer, MyloBot can take complete control of the device and act as a gateway for delivery of a wide variety of payloads from the command-and-control server. Payloads include ransomware, cryptocurrency miners, keyloggers, and banking trojans designed to steal financial information. At this stage, the only way to prevent massive data loss may be to shut down systems until proper recovery processes can be put into place.
Deep Instinct researchers state that MyloBot uses C&C servers that were previously linked to other malware campaigns such as DorkBot, Locky, and Redyms/Ramdo. This indicates that MyloBot's creators are organized and have been active for some time. This theory is supported by the fact that MyloBot actively looks for other malware applications and processes in local folders and deletes them to keep sole control of the victim's device. Researchers claim this is to ensure MyloBot can capture as many zombie computers as possible for its botnet. This network is then rented out to customers who can run their own payloads on the botnet platform.
Our IT security experts can help protect your data and cloud environment against even the most persistent security threats. We can also provide enterprise training to help your employees identify and avoid malicious software on the Internet. Chat with us to find out more.